Analysis
max time kernel: 122s
max time network: 125s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 22/10/2023, 15:50
Static task: static1
Behavioral task: behavioral1 (sample: sample.exe, resource: win7-20231020-en)
Behavioral task: behavioral2 (sample: sample.exe, resource: win10v2004-20231020-en)
The results below are from the behavioral1 run on Windows 7 x64; the Windows 10 run (behavioral2) is a separate report.
General
Target: sample.exe
Size: 146KB
MD5: 1784d03173fd273f9810be0a48f1f383
SHA1: b4354665152723b9fa6e31f07d155265a1d6e2f6
SHA256: 03097f75904007de33f69ec77e02146fe2a0b3d3b2a923640677bb1f46815b07
SHA512: 35dad75e13ab4363ee1495e304e58ec11f731da1f8e21ce9690cfd0cff7d77c50f8b9b5584208e315c8cbb71345401e6ffd771427690b2cffcb40b3ec78b7edb
SSDEEP: 3072:nyPZHpVIYbQf91G3im/2Ef07Jysgk8vRFHoCj1advu07rr/b/V53SgvB+qMDDpvy:n2HpV+8vnvEu0Xrjt5igvy6Qijx3P
Malware Config
Extracted from the dropped note C:\ProgramData\Merlin_Recover.txt (the same file name is written into many other directories, see the Signatures and Processes sections):
URL contained in the note: https://getsession.org/download
Signatures
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Renames multiple (10319) files with added filename extension
This suggests ransomware encrypting files across the whole system; the appended extension observed in this run is .Merlin.
Executes dropped EXE (1 IoC)
pid 1452 Temp3.tmp
Loads dropped DLL (1 IoC)
pid 1808 cmd.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. For an encryptor this signature frequently fires simply because browser profile files are among the files it opens; it is not on its own evidence of credential theft.
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by sample.exe: \??\A: \??\B: \??\D: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (every drive letter except C:)
Drops file in Program Files directory (64 IoCs)
File created by sample.exe (copies of the ransom note):
  C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\Merlin_Recover.txt
  C:\Program Files (x86)\Microsoft Synchronization Services\Merlin_Recover.txt
  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\Merlin_Recover.txt
File opened for modification by sample.exe (.Merlin is the extension the sample appends):
  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\THMBNAIL.PNG
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.concurrent_1.1.0.v20130327-1442.jar.Merlin
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk
  C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7FR.LEX
  C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png
  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\currency.html
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api.Merlin
  C:\Program Files (x86)\Common Files\System\ado\ja-JP\msader15.dll.mui.Merlin
  C:\Program Files\Java\jre7\lib\zi\Pacific\Kwajalein
  C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\cpu.js
  C:\Program Files\EditSplit.emf
  C:\Program Files\7-Zip\Lang\hu.txt.Merlin
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01176_.WMF
  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml
  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_left.png.Merlin
  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml.Merlin
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.zh_CN_5.5.0.165303.jar.Merlin
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Baku
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01236_.WMF
  C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.Merlin
  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21310_.GIF
  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME17.CSS
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\35.png.Merlin
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tallinn
  C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-coredump.jar.Merlin
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF.Merlin
  C:\Program Files (x86)\Microsoft Office\Office14\SplashScreen.bmp.Merlin
  C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0283209.GIF.Merlin
  C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\gadget.xml
  C:\Program Files\Java\jre7\lib\zi\America\Lima
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\settings.css
  C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\cpu.js
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\validation.js.Merlin
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01173_.WMF
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full.png.Merlin
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT.Merlin
  C:\Program Files\Java\jre7\lib\zi\SystemV\CST6
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\TOOT.WAV.Merlin
  C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfig.zip
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01548_.WMF
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212953.WMF
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01838_.GIF.Merlin
  C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\ShapeCollector.exe.mui.Merlin
  C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\RSSFeeds.css
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-nodes.jar
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml
  C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui
  C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\msdaorar.dll.mui
  C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECREC.CFG
  C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\RSSFeeds.html.Merlin
  C:\Program Files (x86)\Common Files\System\msadc\adcjavas.inc
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02263_.WMF
  C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Elegant.dotx.Merlin
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterBold.ttf
  C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\ROGERS.COM.XML
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\weather.js
  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\HEADER.GIF
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_thunderstorm.png.Merlin
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid 2592 schtasks.exe
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid 2996 vssadmin.exe
pid 1532 vssadmin.exe
Modifies registry class (1 IoC)
Key created by rundll32.exe: \REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000_Classes\Local Settings
Opens file in notepad (likely ransom note) (3 IoCs)
pid 2976 NOTEPAD.EXE
pid 2548 NOTEPAD.EXE
pid 2784 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (36 IoCs)
pid 2496 sample.exe (all 36 entries are this one process)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
pid 2496 sample.exe: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeTakeOwnershipPrivilege, SeAuditPrivilege, SeSecurityPrivilege, SeIncBasePriorityPrivilege; the remaining 54 entries are repeated SeTakeOwnershipPrivilege adjustments by this same process, consistent with taking ownership of files it could not otherwise open for writing.
pid 2872 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (the Volume Shadow Copy service adjusting its own token while handling the vssadmin requests).
Suspicious use of WriteProcessMemory (41 IoCs)
Collapsed to distinct parent -> child pairs; the number in parentheses is the report's internal process index of the target, followed by how many writes were logged. Every pair matches a parent -> child launch in the process tree, so these are consistent with ordinary process creation rather than injection into an unrelated process.
PID 2496 sample.exe -> 2884 cmd.exe (29, 4 writes)
PID 2496 sample.exe -> 1504 cmd.exe (31, 4 writes)
PID 2884 cmd.exe -> 2592 schtasks.exe (33, 4 writes)
PID 1504 cmd.exe -> 2996 vssadmin.exe (34, 3 writes)
PID 2928 rundll32.exe -> 2976 NOTEPAD.EXE (46, 3 writes)
PID 2496 sample.exe -> 2292 cmd.exe (48, 4 writes)
PID 2496 sample.exe -> 1808 cmd.exe (49, 4 writes)
PID 2496 sample.exe -> 3040 cmd.exe (53, 4 writes)
PID 3040 cmd.exe -> 1236 schtasks.exe (54, 4 writes)
PID 1808 cmd.exe -> 1452 Temp3.tmp (55, 4 writes)
PID 2292 cmd.exe -> 1532 vssadmin.exe (56, 3 writes)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
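The two file-system signatures above ("Renames multiple (10319) files with added filename extension" and the Program Files paths ending in .Merlin alongside Merlin_Recover.txt dropped into many directories) can be turned into a heuristic that works on any list of written paths, without knowing the family's extension in advance. The example below is added here and is not code from the report, from tria.ge, or from the sample. The WRITTEN list is a subset of the paths in the signature above; the ("created" | "modified", path) tuples are an assumed normalised form standing in for whatever a sandbox or EDR actually emits, and BENIGN is a constructed contrast case.

```python
"""Added example: infer an encryptor's appended extension and a per-directory
ransom note from a list of written paths.

Two heuristics taken from the report's own signatures:
  * many files gain an *outer* extension stacked on *diverse* inner extensions
    (hu.txt.Merlin, PPKLite.api.Merlin, SplashScreen.bmp.Merlin, ...);
  * one filename is created in many distinct directories (Merlin_Recover.txt).
The (kind, path) tuples are an assumed schema, not a real sandbox/EDR format.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple
import ntpath

# Constructed from the report's "Drops file in Program Files directory" signature.
WRITTEN: List[Tuple[str, str]] = [
    ("modified", r"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\THMBNAIL.PNG"),
    ("modified", r"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.concurrent_1.1.0.v20130327-1442.jar.Merlin"),
    ("modified", r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk"),
    ("created",  r"C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\Merlin_Recover.txt"),
    ("modified", r"C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7FR.LEX"),
    ("modified", r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api.Merlin"),
    ("modified", r"C:\Program Files (x86)\Common Files\System\ado\ja-JP\msader15.dll.mui.Merlin"),
    ("modified", r"C:\Program Files\7-Zip\Lang\hu.txt.Merlin"),
    ("modified", r"C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_left.png.Merlin"),
    ("created",  r"C:\Program Files (x86)\Microsoft Synchronization Services\Merlin_Recover.txt"),
    ("modified", r"C:\Program Files (x86)\Microsoft Office\Office14\SplashScreen.bmp.Merlin"),
    ("created",  r"C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\Merlin_Recover.txt"),
    ("modified", r"C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui"),
]

# Constructed benign contrast: stacked extensions that all share one inner type (.dll.mui).
BENIGN: List[Tuple[str, str]] = [
    ("modified", r"C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\msdaorar.dll.mui"),
    ("modified", r"C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui"),
    ("modified", r"C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui"),
    ("modified", r"C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui"),
    ("modified", r"C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui"),
    ("created",  r"C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\desktop.ini"),
]


def stacked_extension(name: str) -> Tuple[str, str]:
    """('.png', '.merlin') for 'x.png.Merlin'; ('', '') when nothing is stacked."""
    stem, outer = ntpath.splitext(name)
    inner = ntpath.splitext(stem)[1]
    return (inner.lower(), outer.lower()) if inner and outer else ("", "")


def appended_extension(paths: List[str], min_files: int = 5,
                       min_inner: int = 3) -> Optional[Tuple[str, int]]:
    """Return (suffix, count) for an outer extension seen on at least `min_files`
    files with at least `min_inner` *different* inner extensions, else None.
    The diversity requirement separates an encryptor's suffix from ordinary
    stacked extensions such as .dll.mui, which share a single inner type."""
    files: Counter = Counter()
    inner_types: Dict[str, set] = defaultdict(set)
    for p in paths:
        inner, outer = stacked_extension(ntpath.basename(p))
        if outer:
            files[outer] += 1
            inner_types[outer].add(inner)
    for outer, n in files.most_common():
        if n >= min_files and len(inner_types[outer]) >= min_inner:
            return outer, n
    return None


def repeated_note(created: List[str], min_dirs: int = 3) -> Dict[str, int]:
    """Filenames created in at least `min_dirs` distinct directories; a ransom
    note dropped into every folder shows up here, normal installers rarely do."""
    dirs: Dict[str, set] = defaultdict(set)
    for p in created:
        dirs[ntpath.basename(p).lower()].add(ntpath.dirname(p).lower())
    return {name: len(d) for name, d in dirs.items() if len(d) >= min_dirs}


def summarize(events: List[Tuple[str, str]]) -> Dict[str, object]:
    """Combine both heuristics into one verdict dictionary."""
    paths = [p for _, p in events]
    created = [p for kind, p in events if kind == "created"]
    ext = appended_extension(paths)
    notes = repeated_note(created)
    note = max(notes, key=notes.get) if notes else None
    return {
        "appended_extension": ext[0] if ext else None,
        "renamed_files": ext[1] if ext else 0,
        "ransom_note": note,
        "note_directories": notes[note] if note else 0,
    }


if __name__ == "__main__":
    print("sample run :", summarize(WRITTEN))
    print("benign run :", summarize(BENIGN))
```

The thresholds (five files, three distinct inner extensions, three directories) are deliberately low because the sample input is a dozen paths; on a full host listing like the 10319 renames in this report they should be raised, and the inner-extension diversity check is the part that matters, since a single stacked type such as .dll.mui or .tar.gz is normal.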
Processes
Sequence as recorded: sample.exe registers a scheduled task named "Windows Update BETA" that re-runs the sample as NT AUTHORITY\SYSTEM at the next start, deletes all shadow copies (twice), launches a dropped Temp3.tmp, and finally removes the same task again. The rundll32.exe OpenAs_RunDLL entry is the Windows "Open with" dialog; the sandbox's simulated user opened an encrypted .Merlin file and the resulting Notepad launch is labelled "likely ransom note" by the heuristic even though that file is encrypted content, not the note.

C:\Users\Admin\AppData\Local\Temp\sample.exe  (PID 2496)
    command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    signatures: Enumerates connected drives; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    +-- C:\Windows\SysWOW64\cmd.exe  (PID 2884)
    |       command line: "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\sample.exe" /F
    |       signatures: Suspicious use of WriteProcessMemory
    |       +-- C:\Windows\SysWOW64\schtasks.exe  (PID 2592)
    |               command line: SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\sample.exe" /F
    |               signatures: Creates scheduled task(s)
    +-- C:\Windows\System32\cmd.exe  (PID 1504)
    |       command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    |       signatures: Suspicious use of WriteProcessMemory
    |       +-- C:\Windows\system32\vssadmin.exe  (PID 2996)
    |               command line: vssadmin.exe delete shadows /all /quiet
    |               signatures: Interacts with shadow copies
    +-- C:\Windows\System32\cmd.exe  (PID 2292)
    |       command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    |       signatures: Suspicious use of WriteProcessMemory
    |       +-- C:\Windows\system32\vssadmin.exe  (PID 1532)
    |               command line: vssadmin.exe delete shadows /all /quiet
    |               signatures: Interacts with shadow copies
    +-- C:\Windows\SysWOW64\cmd.exe  (PID 1808)
    |       command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\Temp3.tmp"
    |       signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    |       +-- C:\Users\Admin\AppData\Local\Temp\Temp3.tmp  (PID 1452)
    |               command line: C:\Users\Admin\AppData\Local\Temp\Temp3.tmp
    |               signatures: Executes dropped EXE
    +-- C:\Windows\SysWOW64\cmd.exe  (PID 3040)
            command line: "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
            signatures: Suspicious use of WriteProcessMemory
            +-- C:\Windows\SysWOW64\schtasks.exe  (PID 1236)
                    command line: SCHTASKS.exe /Delete /TN "Windows Update BETA" /F

C:\Windows\system32\vssvc.exe  (PID 2872)
    command line: C:\Windows\system32\vssvc.exe
    signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\NOTEPAD.EXE  (PID 2784)
    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Merlin_Recover.txt
    signatures: Opens file in notepad (likely ransom note)

C:\Windows\explorer.exe  (PID 1208)
    command line: "C:\Windows\explorer.exe"

C:\Windows\system32\rundll32.exe  (PID 2928)
    command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Pictures\MoveUnpublish.tif.Merlin
    signatures: Modifies registry class; Suspicious use of WriteProcessMemory
    +-- C:\Windows\system32\NOTEPAD.EXE  (PID 2976)
            command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Pictures\MoveUnpublish.tif.Merlin
            signatures: Opens file in notepad (likely ransom note)

C:\Windows\system32\NOTEPAD.EXE  (PID 2548)
    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Pictures\Merlin_Recover.txt
    signatures: Opens file in notepad (likely ransom note)
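The process tree above is the part of this report most directly usable for detection: the interesting facts are not the individual binaries (cmd.exe, schtasks.exe and vssadmin.exe are all legitimate) but the chain they form and the arguments they carry. The example below is added here and is not code from the report, from tria.ge, or from the sample. Its EVENTS list is constructed from the PIDs and command lines in the tree; the (pid, ppid, image, cmdline) schema is an assumption standing in for whatever an EDR or Sysmon Event ID 1 pipeline actually emits, and the rule names are mine.

```python
"""Added example: chain-aware detection over process-creation records.

Three rules derived from this report's process tree:
  * vssadmin deleting shadow copies, reported with its full ancestry;
  * schtasks creating a task that runs as SYSTEM at start and whose action
    lives in a user-writable directory (here %LOCALAPPDATA%\\Temp);
  * the same task deleted later by a process in the same tree (a task that
    exists only for the duration of the attack never shows up in a later
    persistence sweep).
The (pid, ppid, image, cmdline) schema is an assumption, not a real EDR format.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the report's process tree: (pid, parent pid, image, command line).
EVENTS: List[Tuple[int, Optional[int], str, str]] = [
    (2496, None, r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    (2884, 2496, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" '
     r'/sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\sample.exe" /F'),
    (2592, 2884, r"C:\Windows\SysWOW64\schtasks.exe",
     r'SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" '
     r'/TR "C:\Users\Admin\AppData\Local\Temp\sample.exe" /F'),
    (1504, 2496, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet'),
    (2996, 1504, r"C:\Windows\system32\vssadmin.exe", r"vssadmin.exe delete shadows /all /quiet"),
    (2292, 2496, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet'),
    (1532, 2292, r"C:\Windows\system32\vssadmin.exe", r"vssadmin.exe delete shadows /all /quiet"),
    (3040, 2496, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update BETA" /F'),
    (1236, 3040, r"C:\Windows\SysWOW64\schtasks.exe", r'SCHTASKS.exe /Delete /TN "Windows Update BETA" /F'),
    (2872, None, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.I)
# Directories an unprivileged user can write to; a SYSTEM task whose action lives
# here hands the attacker full privileges at the next boot.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\windows\\temp\\")


class Proc:
    def __init__(self, pid: int, ppid: Optional[int], image: str, cmdline: str):
        self.pid, self.ppid, self.image, self.cmdline = pid, ppid, image, cmdline
        self.name = image.rsplit("\\", 1)[-1].lower()


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def switch_value(tokens: List[str], switch: str) -> Optional[str]:
    """Value following a /switch, matched case-insensitively (schtasks accepts /TN or /tn)."""
    lowered = [t.lower() for t in tokens]
    if switch in lowered:
        i = lowered.index(switch)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def chain(procs: Dict[int, Proc], pid: int) -> str:
    """Ancestry rendered as 'root.exe > child.exe > leaf.exe'."""
    names = []
    while pid is not None and pid in procs:
        names.append(procs[pid].name)
        pid = procs[pid].ppid
    return " > ".join(reversed(names))


def root_pid(procs: Dict[int, Proc], pid: int) -> int:
    while procs[pid].ppid is not None and procs[pid].ppid in procs:
        pid = procs[pid].ppid
    return pid


def detect(events) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) findings; events are walked in observed order so
    a task creation is seen before the deletion that refers to it."""
    procs = {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in events}
    findings: List[Tuple[str, int, str]] = []
    created: Dict[str, int] = {}  # lower-cased task name -> pid of the schtasks that created it
    for pid, *_ in events:
        p = procs[pid]
        if p.name == "vssadmin.exe" and SHADOW_DELETE.search(p.cmdline):
            findings.append(("shadow_copy_deletion", pid, chain(procs, pid)))
        elif p.name == "schtasks.exe":
            toks = tokenize(p.cmdline)
            lowered = {t.lower() for t in toks}
            task = switch_value(toks, "/tn")
            if "/create" in lowered and task:
                run_as = (switch_value(toks, "/ru") or "").lower()
                action = (switch_value(toks, "/tr") or "").lower()
                if "system" in run_as and any(d in action for d in USER_WRITABLE):
                    findings.append(("system_task_from_user_writable_path", pid, task))
                created[task.lower()] = pid
            elif "/delete" in lowered and task and task.lower() in created:
                if root_pid(procs, pid) == root_pid(procs, created[task.lower()]):
                    findings.append(("transient_system_task", pid, task))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:38} pid={pid:<5} {detail}")
```

Run against the constructed records it reports both vssadmin invocations with the chain sample.exe > cmd.exe > vssadmin.exe, the SYSTEM task pointing into AppData\Local\Temp, and the later deletion of that task by a descendant of the same root. In a real pipeline the ancestry check is what keeps the vssadmin rule from firing on backup software, and the create/delete pairing is worth alerting on by itself, because a task that is removed again within the same run leaves nothing for a later scheduled-task audit to find.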
Network
MITRE ATT&CK Enterprise v15
Downloads
Seven dropped files were captured, of which three are distinct; the 3KB and 5KB files each appear three times (identical hashes at different paths), the 1.7MB file once.
3KB
MD5: 64d1b77bb61544c8440363d4374c3c65
SHA1: 2925f8f71c44185ceb93939c1dba343e1d77d6d6
SHA256: 9d7aee82e5e3a93c4d513ba145c72003094a9a833aeec8becffd56a8893259a1
SHA512: f15e8918fda73cb45a2a81286e0c16fc754661fe07d9839e070ae0581f23ada1deff3e359f0348410c3ce6511b14d8005b36f813e770270395505d3299ff0af1
5KB
MD5: ab65af4349e7c5b0872c8b808d036980
SHA1: 414b2a2748b7ea6176c1d2453f89fdc8a2d349d0
SHA256: a6c41f368f42a7c57c307a48ce2440a60a744226b6414fadb6517a80a5d160a2
SHA512: 2c61c56e8c299677bad4ce223e3187200c341aa4dd4503fac1217aa8e15687af03544a6d160bb2b1b131a56ea9df2967e00359aa622f12d1b82605c40cca6679
1.7MB
MD5: 33ec32822b21688091d34b4773382d00
SHA1: 67c9aad4e4e461ffbd38fa345a9bd7a40f4693a9
SHA256: 0c7c69255ec2def27e149731680b544fc3c3f5ef8288a0036de9249f2b685465
SHA512: ebdde2f7f5296dc83ad1748a174bd72dc4557f7a65bdbccf84466487e1bea2e4b83110559f7101db10b6e667c6d71db1c764ca232eb3d2a533a5927973a6233f